Page 1 of 1
Older Noscript-Version bypassed ?
Posted: Thu Jan 01, 2015 5:03 pm
by newhere
hi,
some days ago i got redirected to one of these fake-police-sites who claim to block your computer and browser. I use Noscript for FF, but i still got this "Leave Page... Stay on Page" dialog box when i closed the tab, and so far as i know, is javascript recommended to do that, but Noscript was enabled and configured correctly!
Can Html or something similar show this box without getting blocked by Noscript? Or has my NS-Version a bug, to bypass this? Cause i use an older version (2.6.8.5), anyone knows a bug like this in this version? (checked changelog, but couldnt find something, im not an expert).
Thanks!
Re: Older Noscript-Version bypassed ?
Posted: Thu Jan 01, 2015 5:39 pm
by barbaz
It's a known bug that has long since been fixed, please
update NoScript to the latest version (2.6.9.10 at the time of writing)
(v 2.6.8.5 can't block inline JS in Gecko > 27)
Re: Older Noscript-Version bypassed ?
Posted: Fri Jan 02, 2015 3:28 pm
by newhere
hi,
thanks! Is this a dangerous Bug? Can Websites use dangerous scripts through this bug?
Couldnt find this in the changelog, am i too dumb to find this, or is it really not listed there?
Re: Older Noscript-Version bypassed ?
Posted: Fri Jan 02, 2015 4:02 pm
by barbaz
newhere wrote:Is this a dangerous Bug? Can Websites use dangerous scripts through this bug?
Yes and yes!! 
newhere wrote:Couldnt find this in the changelog, am i too dumb to find this, or is it really not listed there?
I think you just don't know the keywords to look for, so here's the (potentially) relevant parts:
https://noscript.net/changelog wrote:
v 2.6.8.19rc2
=========================================================================
x Fixed CAPS initialization broken in Gecko 27 and below
<...>
v 2.6.8.18rc2
=========================================================================
<...>
- Disabled CAPS-based script blocking for Gecko 28 and above
<...>
v 2.6.8.11rc6
=========================================================================
<...>
x Adopted the Components.utils.blockScriptForGlobal() API where possible
<...>
v 2.6.8.8rc2
=========================================================================
+ Enforce docShell-based script blocking for Gecko > 28
Re: Older Noscript-Version bypassed ?
Posted: Sat Jan 03, 2015 6:19 pm
by newhere
k, thanks!
Do you think it was a coincidence that this site bypassed noscript? Or was it on purpose? Ok, those websites just work with Javascript but on Firefox their Script doesnt work as they want anyways, with FF it just pop ups this "Leave Page..." Message, also without Noscript, so far as i know.
Re: Older Noscript-Version bypassed ?
Posted: Sat Jan 03, 2015 6:54 pm
by barbaz
newhere wrote:Do you think it was a coincidence that this site bypassed noscript? Or was it on purpose?
Neither, it's a bug in NoScript caused by Mozilla completely removing the API NoScript was using to block inline scripts. You're just
*really* lucky sites running inline javascripts when you don't think so hasn't been a problem for you yet.